Oh the security....
"Some mission-critical enterprise apps will not lend themselves to cloudification and security concerns for some will trump cost considerations. But why would you not use cloud versions of software such as CRM, email, billing and office apps?"
This is all from a very jaundiced security perspective, and it is only scratching the surface.
A good starting point is probably ISO27K certification to verify that the controls are documented and then SOC1 and SOC2 certification to verify that the controls are being operated effectively. Map this to a not uncommon scenario where the 'service provider' you are dealing with is using compute infrastructure from a second party who is, in turn, using physical facilities from a third party. The physical guys may have heard about SOC1 and may well have ongoing certification because it's good for business, the layer up may have heard of ISO27K and are likely to be getting certification 'any time now' but a SOC2 will bring a wrinkle to their brow. The organisation that your business wants to deal with is looking at you blankly on all fronts.
Stop that or you will go blind.
Are you getting on top of your network/system/application/user/admin/.... monitoring? Have a SIEM and starting to get some value out of it? Factored that into your Cloud solution? So you have events arriving via syslog or you are polling using WMI to get a view of your assets that is comparable to that which you get with on-premise solutions? Dream on.
Dependence on exposed services.
Calling web services or doing other fancy stuff with DNS resolution on public DNS servers? Are you factoring in the risk of these services being compromised? The more entangled you get from an infrastructure perspective with your cloud service provider the greater the likelihood that you will have to start looking at these issues.
Disgruntled employees. Is it a concern for you within your organisation, how do you deal with them? How do all the potential organisations in your supply chain deal with them (see Due Diligence)?
There are some interesting challenges here. Is the cloud provider signing a contract with you or are you signing a contract with them? If the latter, then you are going to have very little control. The whole due diligence here will also be way beyond your procurement folk and concepts like data sovereignty are going to take a lot of explaining. If you are also moving into an environment where data breaches can attract serious penalties (like here in the land of Vulture South) then you have to try and factor that into the contractual arrangements.
So you have a contract. Fabulous. Has anyone seriously seen all the clauses in the contract managed and enforced? Have you estimated how much effort that will take given that you have lost visibility of a lot of things that are important?
"CRM, email, billing and office apps". These are all probably significant if you have data breach legislation.
Is it really worth the effort?